1. Introduction
True Record engages certain third-party service providers ("Sub-processors") to assist in delivering our services. This page lists all Sub-processors who may process customer data, including their purpose, data types processed, and data regions.
This list is maintained in accordance with our Data Processing Agreement and GDPR requirements.
2. Notification of Changes
We will notify customers of changes to our Sub-processor list by:
- Updating this page with the effective date
- Email notification for material changes (addition/removal of Sub-processors)
- 30-day advance notice for new Sub-processors
Customers may object to a new Sub-processor within 30 days of notification. See our Data Processing Agreement for details.
3. Current Sub-processors
Salesforce - DPA
Core service integration - OAuth authentication, data sync, duplicate detection
Data Types Processed:
- Org identifiers
- Salesforce tokens (encrypted)
- Record snapshots for matching
- User email addresses
Data Region:
Customer-specific (based on Salesforce instance region)
Privacy Policy:
View Privacy Policy
Additional Information:
Data residency follows customer Salesforce instance location. We only store encrypted OAuth tokens and minimal record snapshots needed for duplicate detection.
OpenAI - DPA
Embedding generation for AI duplicate detection
Data Types Processed:
- Configured field text used for matching (e.g., name, email, phone)
- Org identifier and object metadata needed to scope the request
- Embedding vectors (results cached in our database)
- Token usage totals for billing
Additional Information:
Inputs are limited to the fields you configure for matching. OpenAI does not use the data for model training. Embeddings are cached until the record changes or the org is removed.
Neon (PostgreSQL) - DPA
Primary database storage
Data Types Processed:
- All application data
- Encrypted Salesforce tokens
- Audit logs
- Match results
- User account information
- Organization settings
Additional Information:
Serverless PostgreSQL database. All data is encrypted at rest and in transit.
Vercel - DPA
Application hosting and edge functions
Data Types Processed:
- Request logs (minimal)
- Analytics data (anonymized)
- Function execution logs
Additional Information:
Hosting provider for the application. No user data is stored by Vercel, only application code and request metadata.
Stripe - DPA
Payment processing and subscription management
Data Types Processed:
- Billing email
- Payment information
- Subscription status
- Customer ID
Additional Information:
Payment card data never touches our servers - handled entirely by Stripe.js. We only store Stripe customer and subscription IDs.
Resend - DPA
Transactional email delivery
Data Types Processed:
- Email addresses
- Invitation tokens (temporary)
- Email content (not stored after delivery)
Additional Information:
Email service provider. Email content is not stored after successful delivery. Only used for transactional emails (invitations, notifications).
4. Data Processing Standards
All Sub-processors are required to:
- Sign data processing agreements with data protection obligations equivalent to our DPA
- Implement appropriate technical and organizational security measures
- Comply with applicable data protection laws (GDPR, CCPA, etc.)
- Only process data as instructed by True Record
- Notify us of any data breaches without undue delay
- Maintain compliance certifications where applicable (SOC 2, ISO 27001, etc.)
5. Data Transfers and Safeguards
5.1 International Transfers
Some Sub-processors are located in or may transfer data to the United States. We ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Sub-processor data processing agreements with equivalent protections
- Supplementary measures where appropriate to ensure GDPR compliance
5.2 Salesforce Data Residency
For Salesforce integration, data residency follows your Salesforce instance region. True Record only stores minimal record snapshots in our primary database (US East) for duplicate detection.
6. Export and Download
You can download this Sub-processor list for your records. This list is updated regularly and the "Last Updated" date is shown at the top of this page.
7. Questions and Objections
If you have questions about our Sub-processors or wish to object to a new Sub-processor, please contact:
- Email: privacy@truerecord.app
- Subject Line: "Sub-processor Inquiry" or "Sub-processor Objection"
We will respond to inquiries within 5 business days and objections within 15 business days.
Summary
Total Sub-processors:
6
With DPA Coverage:
6
Last Updated:
December 12, 2025